SURFconext Strong Authentication gives institutions secure access to cloud-based services linked to SURFconext. Better security is particularly critical for cloud services handling sensitive data. Such services require stronger forms of authentication than a username and password in order to limit the risk of security incidents.

Institutions can use SURFconext Strong Authentication in two ways:SURFconext acts as a link between institutions and service providers. Institutions can select the services they wish to secure with stronger authentication

1. Institution wide. In this case, SURFconext Strong Authentication is coupled with an existing authentication service (like ADFS). This enables strong authentication for a range of internal and external (cloud)services. This option is also called Second Factor Only.
2. For a cloudservice connected to SURFconext. Together with the institution, a service provider can enable SURFconext Strong authentication for its service.

SURFconext Strong Authentication gives access to cloud services via three different types of tokens: SMS, Tiqr (smartphone app) or YubiKey (USB hardware token). Users first log in with their institutional account and are then prompted to confirm their identity with their token. In this way there is a second layer of security.

Strong authentication is available at an additional fee for all institutions connected to SURFconext.

How does it work?

1. The user registers his preferred token (SMS, Tiqr or Yubikey) in the registration portal
2. User must visit his Users must visit their institution's service desk to have an authorized authorised employee verify thier his identity.
3. This employee will bind their token (SMS, Tiqr or Yubikey) to their the user's token to his account. After that the user's telephone or USB key token will be activated.
4. Now the user can log in to any service designated for strong authentication using the two-step login procedure.